More Frequently Asked Digital Forensics Questions

This week we’re answering a few more questions that routinely come to us from attorneys or business owners/management either at the outset or in the course of working a digital forensic investigation.

How long after a suspected incident on a computer can you retrieve useable information?

The short answer is forever, as long as the drive has not been truly wiped or physically destroyed. Realistically, the shorter the timeframe between the incident or action on the computer and its being forensically imaged, the better. The more time that transpires, the greater the potential for evidence to be changed and overwritten. “How?” you might ask. For instance, if a file is deleted, it is not actually removed from the computer’s hard drive until that space is overwritten by another file. Thus, if it was deleted a year ago, even though the computer has been used by someone else since then, it is quite possible that the action and the reference to the file still exist on the drive. However, the content of the file may have been affected by being partially, or worst case, completely overwritten. We encounter such scenarios regularly; it is not a complete loss, but it is less than ideal. That is why we say the sooner you can set aside the computer or device on which you suspect illicit activity occurred, the better. Some clients will set aside the machine used for a certain time period (say 2 months) in case information comes to light that their former employee has moved on to a new employer with ill-gotten data, or started their own venture. Another alternative is to have a qualified outside expert like us, or the folks in your IT department (with training, which we can provide, just ask), make a proper forensic image to retain a snapshot of the machine. This is imperative to do before the device is placed back into service. I’d also add that we have several clients who now (having worked with us for a few years) give us the laptop of anyone in a sensitive position for a short time so we can make a quick forensic image. We then run a cursory check for recent USB drive usage, email of interest and online file storage (Google Docs, Dropbox, etc.) for any inappropriate activity that might have been conducted before the employee left.
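To make the first point concrete, here is an added illustration (not Swailes’ tooling or any real filesystem): a toy block device where deleting a file only frees its blocks and drops the name, and a signature carver that recovers the file by scanning the raw bytes, first intact and then, after a freed block is reused, only partially. The file signatures, names and contents are constructed, and the free-list reuse order is a toy allocator choice, so which block a real filesystem reuses first will differ.

```python
import hashlib

BLOCK = 512
HEADER, FOOTER = b"%TOY-HDR%", b"%TOY-END%"  # constructed file signatures


class ToyDisk:
    """Deleting a file frees its blocks and drops the name; no byte is erased."""

    def __init__(self, blocks: int) -> None:
        self.data = bytearray(blocks * BLOCK)
        self.free = list(reversed(range(blocks)))  # pop() hands out block 0 first
        self.dir: dict[str, list[int]] = {}        # live name -> its blocks

    def write(self, name: str, content: bytes) -> None:
        blocks = [self.free.pop() for _ in range(-(-len(content) // BLOCK))]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.dir[name] = blocks

    def delete(self, name: str) -> None:
        # Toy allocator: the most recently freed block is handed out first.
        self.free.extend(self.dir.pop(name))

    def listing(self) -> list[str]:
        return sorted(self.dir)  # what a normal directory view shows


def carve(data: bytes, header: bytes, footer: bytes) -> list[dict]:
    """Find header/footer pairs in raw bytes, ignoring the directory; a hit
    whose footer is gone is reported as partial, with a hash for the record."""
    hits, pos = [], 0
    while (h := data.find(header, pos)) != -1:
        f = data.find(footer, h + len(header))
        end = f + len(footer) if f != -1 else len(data.rstrip(b"\0"))
        hits.append({"offset": h, "complete": f != -1, "content": bytes(data[h:end]),
                     "sha256": hashlib.sha256(data[h:end]).hexdigest()})
        pos = end
    return hits


def demo() -> dict:
    disk = ToyDisk(blocks=8)
    original = HEADER + b"Q3 customer price list - do not distribute\n" * 16 + FOOTER
    disk.write("pricelist.txt", original)
    disk.delete("pricelist.txt")                        # gone from the listing...
    after_delete = carve(disk.data, HEADER, FOOTER)[0]  # ...but carved intact
    disk.write("budget.tmp", b"\xA5" * 300)             # later use reuses a freed block
    after_reuse = carve(disk.data, HEADER, FOOTER)[0]   # header survives, tail is lost
    return {"listing": disk.listing(), "original": original,
            "after_delete": after_delete, "after_reuse": after_reuse}
```

Calling `demo()` shows the two stages the answer describes: right after deletion the carver returns the whole file even though the listing no longer shows it; once a freed block is reused, the header and first lines still carve out but the footer is gone and the hash no longer matches.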

If someone has a phone with txt messages of interest, but they have been deleted, can they be retrieved?

Sometimes. There are a number of ways we can try to retrieve deleted txt messages on smartphones. The first is obviously with the phone itself. We can take an image of the phone and attempt to recover the txts that were deleted. Recovery from the phone itself tends to be fairly time sensitive: the more time that has lapsed since the messages were deleted, the less likely they are still resident on the device, which limits recovery. However, there are several other places to examine that are oftentimes overlooked. If the phone has been connected to a computer, there is a good chance that a backup was performed. Sometimes this backup occurs without the user even realizing it, particularly when syncing media or merely plugging the phone into the computer to charge. If we can gain access to the computer, we can take a forensic image of it and extract the backups that exist. I said backups, plural, because the added benefit of retrieving txt messages this way is that if the device was connected to the computer on more than one occasion, there is a good chance there is more than one backup. More than one backup means we are able to show a chronology of txt messages going back over a much greater time period. This can even span different phones; we’ve found backups from multiple generations of iPhones from the same user/phone number on the same computer a number of times. Finally, don’t forget about the cloud. iPhones in particular, in a (typically) default configuration, will sync your txt messages (oftentimes iMessage if communicating with other iOS users), so there may be messages stored online. This will typically necessitate having the credentials to the account in order to access it, but these messages can be downloaded and analyzed/recovered as well.

Digital forensic examiners, investigators, what’s the difference?

Are they the same? I would say no. There are many competent digital forensic examiners that are able to retrieve data from a multitude of devices. I would say that our added value at Swailes is in working with the interested party to properly maximize the usage of such data. What that means is that not every matter or case is the same, nor are the individuals we are investigating. You’ll notice we use the word investigate a lot. That’s because the term examiner, while it still credits someone who can assess what actions were taken on a computer or device, is too one-dimensional and limiting. The term investigator, on the other hand, is a more accurate descriptor given the more encompassing role we are utilized in. The role we fulfill as investigators must consider a myriad of variables, not just data retrieval or reconstruction. We carefully consider the evidence being presented, the overarching issue at hand (IP theft, misuse, hacking, etc.), the subjects of the investigation (including utilizing our years of experience to understand what their mindset may have been at the time of their departure), as well as the client’s needs (business, attorney, attorney on behalf of a business, as well as internal use, licensing, administration, litigation, etc.). Not all findings carry the same weight, depending on all the aforementioned variables. Thus, the results we put together in the form of a simple report, statement of fact, affidavit or beyond are very much tailored to elicit their maximum value for the client and matter we’re working. We like to say all of this is “the investigative difference”.

As an employer, are there any red flags or warning signs I can look for with data theft?

While sometimes there are no signs that someone will take your data, that’s certainly not an absolute. There are some relatively simple things someone, or a business, can be on the lookout for when an opportunist is looking to pad their own nest. First might be any change in their behavior. This is more of a general investigative principle, but it’s very applicable in scenarios like this. Oftentimes it’s in conjunction with other things going on at the time, meaning that typically someone doesn’t decide to pull up roots and steal without reason. Some examples of classic justifications we’ve seen are: lack of a pay raise, sales commission disagreements and being passed over for a promotion. All of these are factors that we have seen sow seeds of discontent, or ultimately become the proverbial straw that breaks the camel’s back. The second thing to be on the lookout for is a higher frequency of intelligence gathering, such as the desire to be even more integral to the team by running point on more projects, becoming the central hub of communication or just offering to take some weight off others’ shoulders. Normally these are the hallmarks of a team player, but in conjunction with someone that feels they have been wronged, they could prove to be a dangerous combination. This disgruntled squirrel could quite possibly be gathering nuts that don’t belong to them. Finally, be on the lookout for a greater reliance on technology, which may have a tinge of secrecy in its use. That means the appearance of USB thumb drives or other external USB hard drives to copy data to “assist”, but copying more than needed, or just saying “I got this” while quickly dragging and dropping files; these may be indicators of a setup for wrongdoing. Also watch for using online storage or personal email to “work on things out of the office” and making it out to not be a big deal, when in fact this would be incongruent with this person’s normal workplace activity level. We have also seen this occur with groups of people leaving at the same time. Certainly a number of these things seem like common sense, or like they would be blatantly obvious if they were occurring. However, I can tell you from experience that there is typically a fair bit of emotion involved in these types of situations, which can create “blind spots” making it harder to remain logical.

What are some risk mitigation strategies we can employ to protect our data?

Several immediate things come to mind. First of all, ensure you have a signed agreement with your employees (consult an attorney to develop it) that establishes that what they work on is not theirs, it’s company property, and that they are to secure and protect that information from dissemination. It also wouldn’t hurt to include in the employment contract that employees are not to bring IN information from previous employers or from any other place that would not be publicly accessible. Second is creating a security and data protection mindset within the company. If everyone understands the importance of securing the lifeblood of most companies today (intellectual property, trade secret information and other confidential data), then those that deviate from that mindset are more likely to stand out from the team. I’d also note here that this mindset pays dividends overall by helping the organization be more resilient to email phishing attacks, social engineering attempts and cyber hacking. I should also point out that the warning signs in the previous question can also be successfully implemented as a proactive exercise with your employees. Finally, consideration can be given to implementing DLP (data loss prevention) software that logs specific actions on specific types of data on users’ machines, as well as on the network. There are varying levels of features, complexity and cost associated with this type of software, and its use has been steadily increasing in larger organizations.

#ComputerForensics #DigitalForensics #InsiderThreat #IPTheft #ForensicsFAQ